The company,
a startup called OneTrust, now based in a suburb on the city’s outskirts, makes
software for businesses trying to stay on the right side of the growing number
of internet regulations. In response to the new California law, OneTrust made
it easy for companies to set up a number to manage the requests.
In an
attempt to rein in tech giants such as Facebook and Google, governments around
the world in recent years have approved new laws governing how websites must
handle consumer data, treat their competitors and protect young people. The
European Union has a data-privacy law that governs the entire bloc. California
has approved two privacy measures in recent years, and other states have
followed suit.
Out of those
regulations has arisen something else: an industry to help companies navigate
the increasingly fragmented rules of the global internet.
It’s a
booming market. OneTrust, a leader in the field, has been valued by investors
at $5.3 billion. BigID, a competitor, raised $30 million in April at a $1.25
billion valuation. Another company that targets privacy regulations, TrustArc,
raised $70 million in 2019. Yoti, a startup that provides the kind of
age-verification services that regulators are increasingly turning to to shield
children from harmful content, has raised millions of dollars since it was
founded in 2014.
The
emergence of these companies shows how complex regulations governing the web
have become — and how much more complicated it is expected to get. Several
privacy laws will take effect around the world in the coming years, with more
countries and states expected to consider their own proposals.
“They are
all reactions to an underlying problem — and they all have their own flavor,
they all have their own interpretations and they all have their own focus
points,” said Bart Willemsen, an analyst at Gartner, a market research firm.
“These regulatory changes nudge organisations — in addition to perhaps any
ethical concerns they may have had — to really up their game here.”
Many of the
new companies owe their start to the General Data Protection Regulation, an EU
law passed in 2016 that pushes websites to ask their users if they agree to
being tracked online. It also mandates companies to catalog the personal data
they hold.
The European
rule was a landmark moment in the fracturing of internet regulation, putting
Europe far ahead of Washington in creating guardrails for tech.
“We’re
definitely kind of a child of GDPR,” said Dimitri Sirota, CEO of BigID, which
was founded the year the law passed. In its earliest days, BigID helped
companies map out their data holdings so they could respond to requests under
privacy laws. The company now has offices around the world, including
Australia, Israel and Switzerland.
OneTrust
also owes its birth to the European law. CEO Kabir Barday started the company
in 2016, when he saw companies preparing to comply with the rules.
Under the
European rules, websites largely must get users’ permission to use cookies, the
tiny bits of code that can be used to track people as they move around the
internet. In practice, that has meant that visitors to a website are often
presented with a pop-up menu or a banner asking them if they will agree to be
tracked.
OneTrust
helps companies add those banners to their sites. Its clients include
pocket-tool maker Leatherman, furniture titan Herman Miller and California
fashion designer James Perse, who sells $70 white T-shirts that are a favorite
of Evan Spiegel, creator of Snapchat.
In 2018, lawmakers
in California passed their own privacy rules, which gave users in the state the
right to request their personal data from websites. Demand from companies
racing to meet the California law was strong, said Barday.
“A customer
would say, ‘Kabir, we need to get started today,’” he said. “And I just said,
‘Customer, we just had, in that time period, a thousand customers in about one
quarter that came to us and just said the same thing.’”
Today,
OneTrust and its competitors advertise that they can help clients comply with
privacy laws in numerous countries, including Brazil, and in American states,
including Nevada. OneTrust hands out spiral-bound texts of the California and
European laws as swag.
Gabrielle
Ferree, a OneTrust spokesperson, said its largest customers generally choose
products at a price point that “runs in the six- to seven-figure range
annually.”
Products
meant to meet new internet regulations may vary in how effectively they
actually protect the privacy of people browsing the web, experts said.
A website
can, for example, nudge a visitor to agree to being tracked by using a more
prominent color for the button that accepts cookies than for the button that
rejects them. Or they can present a user with an uneven choice: accept ad
tracking with one click or disable it using a complicated settings menu on a
different page.
“I really
think it’s up to the businesses, and they’re well within their power to make it
easier for consumers to opt out or opt in,” said Maureen Mahoney, a policy analyst
at Consumer Reports.
Barday said
the interest of the businesses that use his products were aligned with the
interests of their customers. Companies want to reach consumers who want their
products or keep them engaged. And consumers prefer an internet experience
personalized to them and their interests, as long as websites are upfront about
collecting their data, he said.
“What we
love about this market is that capitalism and commercial interest is not at
odds with doing good for the world and doing good for people,” he said.
“If a business can show that they’re trustworthy and respectful and
transparent in how they collect that data, guess what? Consumers provide them
the data.”
The business
has faced setbacks: At the outset of the pandemic, OneTrust laid off 10 percent
to 15 percent of its 2,200 employees. Some of those employees threatened to sue
the company in Britain last year, saying they had been fired en masse for poor
performance despite never receiving bad performance reviews. Employees also told
the media that the layoffs came after Barday told his staff that no jobs were
at risk.
Ferree, the
spokesperson for OneTrust, said the company was “not exempt from the impact of
pandemic-related uncertainty in 2020.”
“Ultimately,
we had to make difficult employment decisions and strived to protect jobs for
the long term,” she said.
But OneTrust
and other companies in the industry have continued to grow. OneTrust, which is
not yet profitable, says it now has more than 10,000 customers. And it has introduced
products aimed at helping companies comply with other regulations, including
new protections for whistleblowers in Europe.
OneTrust
recently moved out of Atlanta’s city limits into an archetypical tech office
with glass-walled conference rooms, exposed ductwork and wide bullpens in the
nearby suburb of Sandy Springs.
On a recent
Thursday, a smattering of employees gathered to watch part of OneTrust’s annual
conference for its customers. They tapped away on their laptops while the
warmup act — a British duo composed of a man who spins upbeat music from a set
of turntables while his partner jams on her saxophone — played in the
background.
The DJ and
the saxophonist wrapped up and Barday appeared on the screen. In a sleek,
prerecorded video, he laid out the company’s priorities.
“No 1: Do
not lose focus on privacy because this is complex and getting more complex,” he
said.
© 2024 The
New York Times Company
